Add --ignore-400

I encountered a situation where the console - I am usually running at debug level 2 or 3 -
is flooded with HTTP 400 (which are kind of annoying):

```
[15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:41] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:42] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:43] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:44] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:45] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:46] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:47] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:48] [DEBUG] got HTTP error code: 400 (Bad Request)
[15:02:52] [DEBUG] got HTTP error code: 400 (Bad Request)
```

as this is triggered by almost every request.

This is a workaround for the above scenario so that on the console I see only what I wanted
to, like:

```
[18:51:18] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment)'
[18:51:41] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (Generic comment) (NOT)'
[18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[18:52:06] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL) (original value)'
[18:52:07] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[18:52:08] [INFO] testing 'Boolean-based blind - Parameter replace (CASE) (original value)'
[18:52:08] [INFO] testing 'Oracle AND boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:52:34] [INFO] testing 'Oracle OR boolean-based blind - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace'
[18:52:57] [INFO] testing 'Oracle boolean-based blind - Parameter replace (original value)'
[18:52:58] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause'
[18:52:59] [INFO] testing 'Oracle boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[18:53:00] [INFO] testing 'Oracle boolean-based blind - Stacked queries'
[18:53:23] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[18:53:41] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (XMLType)'
[18:53:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[18:54:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (UTL_INADDR.GET_HOST_ADDRESS)'
[18:54:26] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:54:43] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (CTXSYS.DRITHSX.SN)'
[18:54:57] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[18:55:13] [INFO] testing 'Oracle OR error-based - WHERE or HAVING clause (DBMS_UTILITY.SQLID_TO_SQLHASH)'
[18:55:27] [INFO] testing 'Oracle error-based - Parameter replace'
[18:55:27] [INFO] testing 'Oracle error-based - ORDER BY, GROUP BY clause'
```

Admittedly this may seem a bit hackish as it only addresses HTTP 400 and doesn't cover other
app specific errors which can happen in other scenarios. It could also be that ``--suppress-400``
would sound better as it would describe better what it does, but as there's
``--ignore-401`` I settled for ``--ignore-400``.
Dirk 2017-07-17 18:54:03 +02:00
parent 1678b606a2
commit 0f4272fabe
2 changed files with 6 additions and 2 deletions


@ -150,6 +150,9 @@ def cmdLineParser(argv=None):
request.add_option("--auth-file", dest="authFile", request.add_option("--auth-file", dest="authFile",
help="HTTP authentication PEM cert/private key file") help="HTTP authentication PEM cert/private key file")
request.add_option("--ignore-400", dest="ignore400", action="store_true",
help="Suppress HTTP Error 400 (Bad Request)")
request.add_option("--ignore-401", dest="ignore401", action="store_true", request.add_option("--ignore-401", dest="ignore401", action="store_true",
help="Ignore HTTP Error 401 (Unauthorized)") help="Ignore HTTP Error 401 (Unauthorized)")
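Review bot: The help string on the new `--ignore-400` option says "Suppress HTTP Error 400 (Bad Request)" while the neighbouring `--ignore-401` says "Ignore", and neither wording tells the user that this switch only hides a debug log line. Since the second hunk changes logging and not request handling, the help text should say so, for example "Do not log HTTP Error 400 (Bad Request) debug messages", so nobody reads it as changing how 400 responses are treated during detection. The commit message itself notes that `--suppress-400` would describe the behaviour better; with the flag name kept for symmetry, the help string is the place to make the difference explicit.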


@ -619,8 +619,9 @@ class Connect(object):
else: else:
raise SqlmapConnectionException(warnMsg) raise SqlmapConnectionException(warnMsg)
else: else:
debugMsg = "got HTTP error code: %d (%s)" % (code, status) if ex.code == httplib.BAD_REQUEST and not conf.ignore400:
logger.debug(debugMsg) debugMsg = "got HTTP error code: %d (%s)" % (code, status)
logger.debug(debugMsg)
except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, binascii.Error, ProxyError, SqlmapCompressionException, WebSocketException, TypeError, ValueError): except (urllib2.URLError, socket.error, socket.timeout, httplib.HTTPException, struct.error, binascii.Error, ProxyError, SqlmapCompressionException, WebSocketException, TypeError, ValueError):
tbMsg = traceback.format_exc() tbMsg = traceback.format_exc()
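Review bot: The new guard `if ex.code == httplib.BAD_REQUEST and not conf.ignore400:` is inverted relative to the stated intent: as rendered, both `debugMsg = ...` and `logger.debug(debugMsg)` sit under it, so the debug message is now emitted only for 400 responses when the flag is off, and every other HTTP error code reaching this branch is silently dropped whether or not `--ignore-400` is given. That removes diagnostic output a tester relies on to notice blocking or server errors during a run. The condition should exclude only the suppressed case, e.g. `if not (conf.ignore400 and code == httplib.BAD_REQUEST):`, leaving logging unchanged for all other codes. It would also be more consistent to test the local `code` already used in the message rather than `ex.code`.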